Re: Applying Filtering on NAT'd Packets

To: port-macppc%netbsd.org@localhost, danitt10%yahoo.com@localhost
Subject: Re: Applying Filtering on NAT'd Packets
From: "David H. Gutteridge" <dhgutteridge%sympatico.ca@localhost>
Date: Mon, 2 Sep 2013 18:06:56 -0400

On Mon, 26 Aug 2013, at 11:39:34 -0500, Dani Tekeste wrote:
>Hello, I was hoping I can get some help on this. 
>
>I'm trying to block some packets which I have already applied NAT on but it 
>does not seem to be working. Is there a way to filter packets after applying 
>NAT??
>
>Here is what I'm doing. 
>nat pass on en0 from 192.168.10.31 to 192.168.10.180 -> 192.168.10.33
>
>block drop out on en0 inet proto tcp from 192.168.10.33 port=55555 to 
>192.168.10.180

Hello,

By using the "pass" option in the first line, you've explicitly told
pf not to apply filtering to those NATed packets. As the pf.conf(5)
man page states: "If the pass modifier is given, packets matching
the translation rule are passed without inspecting the filter
rules." (See the "Translation Examples" section of the man page.)

If your goal was to minimize latency by skipping filtering on most
NATed addresses, then you could rewrite the first line to stop at
192.168.10.179 and have a new rule for just 192.168.10.180 that
excludes the "pass" option. (I do find the subnet you've expressed
a little confusing to read, as it overlaps with the translated
address. The behaviour may not be as you expect given 192.168.10.33
is on both sides of the NAT instruction, but I can't say for sure.)

(As an aside, you'd do best to post these sorts of questions to a
mailing list that's not port-specific. netbsd-users or current-users
would be better choices of lists for this topic.)

Regards,

Dave

Prev by Date: Re: Applying Filtering on NAT'd Packets
Next by Date: Re: dual CPU system hangs
Previous by Thread: Re: Applying Filtering on NAT'd Packets
Indexes:

Home | Main Index | Thread Index | Old Index